Bug 1020460 (CVE-2017-5505)

Summary: VUL-1: CVE-2017-5505: jasper: invalid memory read in jas_matrix_asl (jas_seq.c)
Product: [Novell Products] SUSE Security Incidents Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: abergmann, astieger, fstrba, matthias.gerstner, mvetter, wolfgang.frisch
Version: unspecified   
Target Milestone: unspecified   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/178719/
Whiteboard: CVSSv2:SUSE:CVE-2017-5505:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1020353, 1020451    
Bug Blocks:    

Description Mikhail Kasimov 2017-01-17 17:39:44 UTC 
Ref: http://seclists.org/oss-sec/2017/q1/104
=============================================
Description:
jasper is an open-source initiative to provide a free software-based reference 
implementation of the codec specified in the JPEG-2000 Part-1 standard.

Another round of fuzzing shows that a crafted image causes an invalid memory 
read.

The complete ASan output:

# imginfo -f $FILE
==26941==ERROR: AddressSanitizer: SEGV on unknown address 0x62c80000a400 (pc 
0x7f28c74e48ee bp 0x7ffcececdb70 sp 0x7ffcececdaf0 T0)
==26941==The signal is caused by a READ memory access.
    #0 0x7f28c74e48ed in jas_matrix_asl /tmp/portage/media-
libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_seq.c:376:11
    #1 0x7f28c7545f0e in jpc_dec_tiledecode /tmp/portage/media-
libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:1107:6
    #2 0x7f28c7536cdf in jpc_dec_process_sod /tmp/portage/media-
libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:658:7
    #3 0x7f28c75406b3 in jpc_dec_decode /tmp/portage/media-
libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:425:10
    #4 0x7f28c75406b3 in jpc_decode /tmp/portage/media-
libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/jpc/jpc_dec.c:262
    #5 0x7f28c74a2b84 in jas_image_decode /tmp/portage/media-
libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_image.c:444:16
    #6 0x509eed in main /tmp/portage/media-
libs/jasper-1.900.27/work/jasper-1.900.27/src/appl/imginfo.c:219:16
    #7 0x7f28c65aa61f in __libc_start_main /var/tmp/portage/sys-
libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x419978 in _init (/usr/bin/imginfo+0x419978)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-
libs/jasper-1.900.27/work/jasper-1.900.27/src/libjasper/base/jas_seq.c:376:11 
in jas_matrix_asl
==26941==ABORTING

Affected version:
1.900.27

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00053-jasper-invalidread-jas_matrix_asl

Timeline:
2016-11-20: bug discovered and reported upstream
2017-01-16: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jas_matrix_asl-jas_seq-c

--
Agostino
=============================================
Comment 1 Swamp Workflow Management 2017-01-17 23:03:21 UTC 
bugbot adjusting priority
Comment 2 Matthias Gerstner 2017-01-18 12:15:05 UTC 
I cannot reproduce this in any of our codestreams. All exit programmatically
like this:

  cannot get marker segment
  cannot load image

Also valgrind shows no invalid reads.

But the current upstream git version *does* segfault. Also an older upstream
build with version 1.900.14 does segfault. I don't understand, why our
codestreams react differently. Maybe some patches or something in the build
environment...
Comment 3 Matthias Gerstner 2017-01-18 13:24:39 UTC 
I found out that only after this upstream commit, that fixes some integer
overflow issues, the PoC from this issue triggers:

https://github.com/mdadams/jasper/commit/d42b2388f7f8e0332c846675133acea151fc557a

This commit is first found starting in version 1.900.25. So none of our
codestreams is affected at the moment, but might become affected if we should
patch other CVEs that target the integer overflows (like bug 1020353).
Comment 4 Matthias Gerstner 2017-01-18 13:40:38 UTC 
This issue is not yet fixed on the upstream master git branch. So there seems
to be no fix available.
Comment 6 Michael Vetter 2020-08-13 13:38:50 UTC 
Fix https://github.com/jasper-software/jasper/commit/e2f2e5f4022baef2386eec25c57b63debfe4cb20

jasper-CVE-2017-5503-CVE-2017-5504-CVE-2017-5505.patch in home:mvetter:jasper-cves.
Will submit once more issues are fixed.
Comment 7 Michael Vetter 2020-08-26 08:49:01 UTC 
https://build.suse.de/request/show/224666 SLE-15 / jasper
https://build.suse.de/request/show/224667 SLE-12 / jasper
https://build.suse.de/request/show/224668 SLE-11 / jasper
Comment 8 Michael Vetter 2020-08-26 11:01:52 UTC 
Last SRs hat a copy-paste error in the changelog not referencing this bug.

SLE11: SR#225217
SLE12: SR#225218
SLE15: SR#225220

Fixes this.
Comment 10 Swamp Workflow Management 2020-09-21 13:15:52 UTC 
SUSE-SU-2020:2690-1: An update that fixes 17 vulnerabilities is now available.

Category: security (low)
Bug References: 1010786,1010979,1010980,1011829,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1092115,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9397,CVE-2016-9398,CVE-2016-9399,CVE-2016-9557,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9154,CVE-2018-9252
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    jasper-1.900.14-195.22.1
SUSE Linux Enterprise Server 12-SP5 (src):    jasper-1.900.14-195.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-09-21 13:23:01 UTC 
SUSE-SU-2020:2689-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    jasper-2.0.14-3.16.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    jasper-2.0.14-3.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Wolfgang Frisch 2020-09-24 13:49:47 UTC 
Fixed in all supported code streams.
Comment 13 Swamp Workflow Management 2020-09-24 16:18:40 UTC 
openSUSE-SU-2020:1517-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    jasper-2.0.14-lp151.4.9.1
Comment 14 Swamp Workflow Management 2020-09-25 10:18:39 UTC 
openSUSE-SU-2020:1523-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1010979,1010980,1020451,1020456,1020458,1020460,1045450,1057152,1088278,1114498,1115637,1117328,1120805,1120807
CVE References: CVE-2016-9398,CVE-2016-9399,CVE-2017-14132,CVE-2017-5499,CVE-2017-5503,CVE-2017-5504,CVE-2017-5505,CVE-2017-9782,CVE-2018-18873,CVE-2018-19139,CVE-2018-19543,CVE-2018-20570,CVE-2018-20622,CVE-2018-9252
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    jasper-2.0.14-lp152.7.3.1